Oracles Silence on Database Security Wearing Thin

Opinion: Oracle knows about 34 security flaws reported back in the winter, and it has the patchesso when will it share?

For a company that boasts of an "unbreakable" database, Oracle sure is being lackadaisical about a nasty clump of critical security flaws that Next-Generation Security Software uncovered back in January or February.
So far, Oracle has told the media that:
a) It knows about the flaws. That means there are norepeat, noissues with recreating the flaws in the lab. Thats a problem that often hampers software companies as they try to mimic the conditions that security researchers have managed to create in order to find a given glitch.

b) It has managed to create fixes. The patches are done. Theyre ready. In other words, theres no reason why your Oracle database should be sitting around with 34 security vulnerabilities that could allow buffer overflow attacks and/or remote, unauthorized access to databases via SQL injection techniques.

c) It responds as quickly as possible when security flaws are discovered. Whaaaa ... ? According to ComputerWeekly, Oracle sent a statement saying, "When software security flaws are discovered, Oracle responds as quickly as possible with patches and workarounds to help protect information secured by customers in Oracle-based information systems."
Its been a good seven or eight months since the vulnerabilities were discovered. Sure, eight months seems like it would be "as quickly as possible." For a roomful of monkeys arbitrarily hitting keys to come up with a security fix. On broken keyboards.
Read more here about Oracles delay in releasing fixes.

The patches are ready. And yet still there resounds from Redwood Shores, Calif., a deafening silence, with no word from Oracle on when the patches will be released, nor any explanation of why this prolonged delay has occurred.
Nor is there any mention of the vulnerabilities on Oracle Technology Networks security alerts page, on which the most recent security bulletin relates to the June report of vulnerabilities in Oracle e-Business Suite.
Why the delay?
A rumor that has not been confirmed or denied by Oracle is that the company is planning to switch to a monthly, cumulative patch-release schedule, as Microsoft has done. The company is supposedly holding onto the bug fixes until it manages to ramp up this new procedure.
The rumor sounds plausible, according to Gartner analyst John Pescatore, whos been chatting with Oracle about the move. Gartner counseled Microsoft on its initial foray into monthly releases, and Pescatore told me he had a chat with Oracle a few months back on this subject, but he hasnt heard confirmation one way or the other on whether its a go.
In the meantime, should you worry about the bugs? Nah, probably not. As Pescatore and a handful of Oracle experts pointed out to me, Oracle databases tend to be pretty tight security-wise, residing as they most frequently do behind firewalls and manned by DBAs who were smart enough to become Oracle DBAs in the first place and therefore can pretty much be relied on to be smart enough to run secure databases.
Click here to read about security "gotchas" to avoid in your database.
Now, I wouldnt go so far as to hop on the bandwagon when it comes to criticizing David Litchfield of NGSS for spilling the beans on the bugs. Theres a lot of history between Oracle and Litchfield, but as he mentioned in a recent interview, he was finding Oracle bugs before the silly term "unbreakable" hatched in the dreams of Oracles marketing geniuses.
Still, on the other hand, bear in mind that finding bugs creates an awful lot of free press for security firms.
But were still left with this question: Why the silence? Im still trying to figure that one out, but the easy guess would be that Oracle doesnt like to wear the dunce cap when it comes to security. Thats a pity.
Microsoft deserves a heap of kudos for the security work its done since the Secure Computing Initiative was rolled out. If it keeps getting hit, its hardly surprisingwhen you have a target as large as a barn, youre going to suffer some gunshot damage.
Write to me at lisa_vaas@comcast.net.eWEEK.com Associate Editor Lisa Vaas has written about enterprise applications since 1997. Check out eWEEK.coms Database Center at http://database.eweek.com for the latest database news, reviews and analysis.

Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.